<?php
/*
 * Copyright 2007 by Aleksander Adamowski
 * This software is licensed under GPL v.3.0.
 * See the included file "LICENSE" for details.
 * 
 * This script serves LDAP userSMIMECertificate attribute as application/x-x509-email-cert binary document.
 * 
 * Accepts a single parameter: uid, based on which LDAP search is performed.
 */
require_once 'config.php';

$uid = $_GET['uid'];
// Defend against LDAP filter injection:
$uid = preg_replace('/[^-_a-zA-Z0-9]/', '', $uid);
$bind_uid = $_SERVER['PHP_AUTH_USER'];
// Defend against LDAP filter injection:
$bind_uid = preg_replace('/[^-_a-zA-Z0-9]/', '', $bind_uid);

$ds = ldap_connect($LDAP_SERVER);
$bind_sr = ldap_search($ds, $LDAP_PEOPLE, "(uid=$bind_uid)", array('dn'));
$bind_dn = ldap_get_dn($ds, ldap_first_entry($ds, $bind_sr));
$ldapbind = ldap_bind($ds, $bind_dn, $_SERVER['PHP_AUTH_PW']);
$sr = ldap_search($ds, $LDAP_PEOPLE, "(&(uid=$uid)(|(userSMIMECertificate=*)(userCertificate=*)))", array('userSMIMECertificate', 'userCertificate', 'modifyTimestamp', 'uid'));

if (ldap_count_entries($ds, $sr) == 1) {
	$entry = ldap_first_entry($ds, $sr);
	$attribs = ldap_get_attributes($ds, $entry);
	$entry_uid = $attribs['uid'][0];
	$cert_attrib = 'userSMIMECertificate';
	if (isset($attribs['userSMIMECertificate;binary'])) {
		$cert_attrib = 'userSMIMECertificate;binary';
	} elseif (isset($attribs['userSMIMECertificate'])) {
		$cert_attrib = 'userSMIMECertificate';
	} elseif (isset($attribs['userCertificate;binary'])) {
		$cert_attrib = 'userCertificate;binary';
	} elseif (isset($attribs['userCertificate'])) {
		$cert_attrib = 'userCertificate';
	} else {
		Header("Content-type: text/html"); 
		require_once 'nocache.php';
		session_write_close();
		exit('<H1>User has no certificate.</H1>');
	}
	$binary_values = ldap_get_values_len($ds, $entry, $cert_attrib);

// modifyTimestamp is OpenLDAP-specific - uncomment it if you need it:
/*
	$modifyTimestamp = ldap_get_values($ds, $entry, 'modifyTimestamp');
	$modifyTimestamp = preg_replace('/^([0-9]{4})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([a-zA-Z]+)/', '$1-$2-$3 $4:$5:$6 $7', $modifyTimestamp[0]);
	$modifyTimestamp = date('D, d M Y H:i:s T', strtotime($modifyTimestamp));
*/
	//error_log('modifyTimestamp: '.$modifyTimestamp);
	
	if (isset($attribs['userSMIMECertificate;binary']) || isset($attribs['userSMIMECertificate'])) {
		Header("Content-type: application/x-x509-email-cert"); 
		Header("Content-Disposition: attachment; filename=\"userSMIMECertificate_$entry_uid.crt\"");
	} elseif (isset($attribs['userCertificate;binary']) || isset($attribs['userCertificate'])) {
		Header("Content-type: application/x-x509-user-cert"); 
		Header("Content-Disposition: attachment; filename=\"userCertificate_$entry_uid.crt\"");
	} else {
		Header("Content-type: text/html"); 
		require_once 'nocache.php';
		session_write_close();
		exit('<H1>User has no certificate.</H1>');
	}
	Header("X-Pad: avoid browser bug");
	require_once 'nocache.php';
	//Header("Last-Modified: $modifyTimestamp"); 
	//Header('Cache-Control: max-age=600');
	//Header("Expires: ".date('D, d M Y H:i:s T', strtotime('+1 day'))); 
	echo $binary_values[0];
} else {
	Header("Content-type: text/html"); 
	require_once 'nocache.php';
	session_write_close();

	echo '<H1>User has no certificate.</H1>';
}
?>
